Keeper hacking team made $7 mn attacking 570 e-commerce stores

Keeper, a hacker group, has broken into at least 570 e-commerce stores in 55 countries, including in India, in the last three years.
Online shopping trendsThe hacker group leaked information on more than 184,000 stolen credit cards and generated over $7 million from selling compromised payment cards.

Keeper’s hacking team has allegedly attacked Mumbai-based online jewellery store called ejohri.com in February this year, according to the threat intelligence firm Gemini Advisory.

Over 85 percent of the victim sites operated on the Magento CMS, which is known to be the top target for Magecart attacks and boasts over 250,000 users worldwide, said the Gemini report.

The country hosting the largest selection of these victim e-commerce sites was the US, followed by the United Kingdom and the Netherlands, IANS reported.

The websites hacked include online bicycle merchant milkywayshop.it, Pakistan-based clothing store alkaramstudio.com, Indonesia-based Apple product reseller ibox.co.id and US-based premier wine and spirits seller cwspirits.com, among others.

The Keeper Magecart group has compromised hundreds of domains and likely extracted payment card information from many more that have yet to be uncovered.

With revenue likely exceeding $7 million and increased cybercriminal interest in CNP (Card Not Present) data during the COVID-19 quarantine measures across the world, this group’s market niche appears to be secure and profitable.

Gemini uncovered an unsecured access log on the Keeper control panel with 184,000 compromised cards with time stamps ranging from July 2018 to April 2019.

Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark web median price of $10 per compromised Card Not Present (CNP) card, this group has likely generated upwards of $7 million from selling compromised payment cards.

In mid-2020, Magecart attacks have become a daily occurrence for small to medium-sized e-commerce businesses.

Operating on an outdated content management system (CMS), utilizing unpatched add-ons, or having administrators’ credentials compromised through sequel injections leaves e-commerce merchants vulnerable to a variety of different attack vectors.

The Gemini team has uncovered thousands of Magecart attacks ranging from simple dynamic injection of malicious code using a criminally hosted domain, to leveraging Google Cloud or GitHub storage services and using steganography to embed malicious payment card-stealing code into an active domain’s logos and images.